941310 - Double escape and problem with german ü · Issue #2171 · coreruleset/coreruleset · GitHub
Closed

stefanpinter opened this issue Aug 4, 2021 · 25 comments

Comments
@stefanpinter
stefanpinter commented Aug 4, 2021

Description

Hi!

The rule says this:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
But it actually matches this:
\\xbc[^\\\\xbe>][\\xbe>]|<[^\\\\xbe]\\xbe
Why? This makes it match our string "Gültigkeit" which encoded looks like this "G\xbcltigkeit"

Audit Logs / Triggered Rule Numbers

941310
--3234e523-H-- Message: Warning. Pattern match "\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe" at ARGS:offerData. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcltigkeit in tagen\x22},{\x22einstellungs_id\x22:30,\x22gruppierung\x22:\x22angebotkv\x22,\x22art\x22:\x22mandant\x22,\x22key\x22:\x22kauf_gueltigkeitsdauer\x22,\x22value\x22:\x2228\x22,\x22type\x22:\x22text\x22,\x22options\x22:null,\x22default\x22:\x2214\x22,\x22hilfetext\x22:null,\x22wartbar\x22:\x221\x22,\x22marke_id\x22:0,\x22datum_anlage\x22:\x2223.10.2014 15:06\x22,\x22datum_bearbeitung\x22:\x2223.10.2014 15:06\x22,\x22benutzer_anlage\x22:6,\x22benutzer_bearbeitung\x22:6,\x22bezeic..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] Message: Warning. Pattern match "(?i:(?:[\"'](?:;?\s*?(?:having|select|union)\b\s*?[^\\s]|\s*?!\s*?"'\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|in ..." at ARGS:offerData. 
[file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \x22select\x22 found within ARGS:offerData: {\x22id\x22:3377,\x22mandant_id\x22:67,\x22offer_type_id\x22:1,\x22offer_calculationtype_id\x22:1,\x22offer_businesscase_id\x22:1,\x22offer_status_id\x22:1,\x22kontakt_id\x22:219805,\x22kundengruppe\x22:\x22B2C\x22,\x22offer_name\x22:\x22\x22,\x22gewaehrleistung\x22:\x22\x22,\x22garantie\x22:\x22\x22,\x22bemerkung_intern\x22:\x22\x22,\x22bemerkung_extern\x22:\x22\x22,\x22offer_reference_number\x22:202101233,\x22offer_reference_external\x22:\x22\x2..." Message: Rule 7f3211923618 [id "942240"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "254"] - Execution error - PCRE limits exceeded (-8): (null). Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 62.47.98.110] ModSecurity: Warning. Pattern match "\\\\\\\\xbc[^\\\\\\\\xbe>]*[\\\\\\\\xbe>]|<[^\\\\\\\\xbe]*\\\\\\\\xbe" at ARGS:offerData. 
[file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \\\\xbcltigkeit in tagen\\\\x22},{\\\\x22einstellungs_id\\\\x22:30,\\\\x22gruppierung\\\\x22:\\\\x22angebotkv\\\\x22,\\\\x22art\\\\x22:\\\\x22mandant\\\\x22,\\\\x22key\\\\x22:\\\\x22kauf_gueltigkeitsdauer\\\\x22,\\\\x22value\\\\x22:\\\\x2228\\\\x22,\\\\x22type\\\\x22:\\\\x22text\\\\x22,\\\\x22options\\\\x22:null,\\\\x22default\\\\x22:\\\\x2214\\\\x22,\\\\x22hilfetext\\\\x22:null,\\\\x22wartbar\\\\x22:\\\\x221\\\\x22,\\\\x22marke_id\\\\x22:0,\\\\x22datum_anlage\\\\x22:\\\\x2223.10.2014 15:06\\\\x22,\\\\x22datum_bearbeitung\\\\x22:\\\\x2223.10.2014 15:06\\\\x22,\\\\x22benutzer_anlage\\\\x22:6,\\\\x22benutzer_bearbeitung\\\\x22:6,\\\\x22bezeic..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "snipped"] [uri "/crm/dokumente/dokument_pdf/3337373737366535353835306130356139626434656263353362333433336438656161366435333863326231333832393532386230356264316230366531313361626637383234646332656165333266623137373536666430363866646339386531643366333565623434373665613863653765633462313965646164656466553950746a52326473415a78475255666e6e726f706f4e304b415676626b44486373427254706d495453633d"] [unique_id "YQqJyNBZrnK0t4Z4Vmz6@AAAAAQ"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 62.47.98.110] ModSecurity: Warning. Pattern match "(?i:(?:[\\\\"'|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\\\\\)]?|u(?:nion(?:[\\\\w(\\\\s]?select| select @)|ser\\\\s*?\\\\([^\\\\\\\\)]?)|s(?:chema\\\\s?\\\\([^\\\\\\\\)]?|elect.?\\\\w?user\\\\()|in ..." at ARGS:offerData. 
[file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \\x22select\\x22 found within ARGS:offerData: {\\x22id\\x22:3377,\\x22mandant_id\\x22:67,\\x22offer_type_id\\x22:1,\\x22offer_calculationtype_id\\x22:1,\\x22offer_businesscase_id\\x22:1,\\x22offer_status_id\\x22:1,\\x22kontakt_id\\x22:219805,\\x22kundengruppe\\x22:\\x22B2C\\x22,\\x22offer_name\\x22:\\x22\\x22,\\x22gewaehrleistung\\x22:\\x22\\x22,\\x22garantie\\x22:\\x22\\x22,\\x22bemerkung_intern\\x22:\\x22\\x22,\\x22bemerkung_extern\\x22:\\x22\\x22,\\x22offer_reference_number\\x22:202101233,\\x22offer_reference_external\\x22:\\x22\\x2..." [hostname "snipped"] [uri "/crm/dokumente/dokument_pdf/3337373737366535353835306130356139626434656263353362333433336438656161366435333863326231333832393532386230356264316230366531313361626637383234646332656165333266623137373536666430363866646339386531643366333565623434373665613863653765633462313965646164656466553950746a52326473415a78475255666e6e726f706f4e304b415676626b44486373427254706d495453633d"] [unique_id "YQqJyNBZrnK0t4Z4Vmz6@AAAAAQ"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 62.47.98.110] ModSecurity: Rule 7f3211923618 [id "942240"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "254"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "snipped"] [uri "/crm/dokumente/dokument_pdf/3337373737366535353835306130356139626434656263353362333433336438656161366435333863326231333832393532386230356264316230366531313361626637383234646332656165333266623137373536666430363866646339386531643366333565623434373665613863653765633462313965646164656466553950746a52326473415a78475255666e6e726f706f4e304b415676626b44486373427254706d495453633d"] [unique_id "YQqJyNBZrnK0t4Z4Vmz6@AAAAAQ"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 62.47.98.110] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "snipped"] [uri "/crm/dokumente/dokument_pdf/3337373737366535353835306130356139626434656263353362333433336438656161366435333863326231333832393532386230356264316230366531313361626637383234646332656165333266623137373536666430363866646339386531643366333565623434373665613863653765633462313965646164656466553950746a52326473415a78475255666e6e726f706f4e304b415676626b44486373427254706d495453633d"] [unique_id "YQqJyNBZrnK0t4Z4Vmz6@AAAAAQ"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 62.47.98.110] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=5,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "snipped"] [uri "/crm/dokumente/dokument_pdf/3337373737366535353835306130356139626434656263353362333433336438656161366435333863326231333832393532386230356264316230366531313361626637383234646332656165333266623137373536666430363866646339386531643366333565623434373665613863653765633462313965646164656466553950746a52326473415a78475255666e6e726f706f4e304b415676626b44486373427254706d495453633d"] [unique_id "YQqJyNBZrnK0t4Z4Vmz6@AAAAAQ"]`

Your Environment

  • CRS version (e.g., v3.2.0): 3.3.2
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 2.9.2-1
  • Web Server and version (e.g., apache 2.4.41): Apache/2.4.29 (
  • Operating System and version:Ubuntu 18.04.5

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

@airween
Contributor
airween commented Aug 4, 2021

Hi @stefanpinter,

thanks for your report.

Could you show us your request with curl? I'm afraid without that we can't investigate this issue.

Btw it's interesting that you have two lines with same id (941130), but different content:

Warning. Pattern match "\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe" at ARGS:offerData. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcltigkeit in tagen\x22},{\x22einstellungs_id\x22:30,\x22gruppierung\x22:\x22angebotkv\x22,\x22art\x22:\x22mandant\x22,\x22key\x22:\x22kauf_gueltigkeitsdauer\x22,\x22value\x22:\x2228\x22,\x22type\x22:\x22text\x22,\x22options\x22:null,\x22default\x22:\x2214\x22,\x22hilfetext\x22:null,\x22wartbar\x22:\x221\x22,\x22marke_id\x22:0,\x22datum_anlage\x22:\x2223.10.2014 15:06\x22,\x22datum_bearbeitung\x22:\x2223.10.2014 15:06\x22,\x22benutzer_anlage\x22:6,\x22benutzer_bearbeitung\x22:6,\x22bezeic..."] [severity "CRITICAL"]
Warning. Pattern match "\\\\\\\\xbc[^\\\\\\\\xbe>]*[\\\\\\\\xbe>]|<[^\\\\\\\\xbe]*\\\\\\\\xbe" at ARGS:offerData. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \\\\xbcltigkeit in tagen\\\\x22},{\\\\x22einstellungs_id\\\\x22:30,\\\\x22gruppierung\\\\x22:\\\\x22angebotkv\\\\x22,\\\\x22art\\\\x22:\\\\x22mandant\\\\x22,\\\\x22key\\\\x22:\\\\x22kauf_gueltigkeitsdauer\\\\x22,\\\\x22value\\\\x22:\\\\x2228\\\\x22,\\\\x22type\\\\x22:\\\\x22text\\\\x22,\\\\x22options\\\\x22:null,\\\\x22default\\\\x22:\\\\x2214\\\\x22,\\\\x22hilfetext\\\\x22:null,\\\\x22wartbar\\\\x22:\\\\x221\\\\x22,\\\\x22marke_id\\\\x22:0,\\\\x22datum_anlage\\\\x22:\\\\x2223.10.2014 15:06\\\\x22,\\\\x22datum_bearbeitung\\\\x22:\\\\x2223.10.2014 15:06\\\\x22,\\\\x22benutzer_anlage\\\\x22:6,\\\\x22benutzer_bearbeitung\\\\x22:6,\\\\x22bezeic..."] [severity "CRITICAL"]

Thank you.

@stefanpinter
Author

Hi!
Sadly, I couldn't get a curl POST request to work for now.

GitHub is adding backslashes like crazy...
but in reality this is what is happening indeed.

The rule only has one backslash before each xbc and each xbe, which makes them stand for some special symbols:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \

but it actually matches against this:
\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe
with TWO backslashes, where the additional backslash escapes the first one, so it does not actually match these special symbols.

I understand that this might be intentional somehow in this XSS context? Can you confirm this?

@airween
Contributor
airween commented Aug 5, 2021

hi @stefanpinter,

The rule only has one backslash before each xbc and each xbe, which make it stand for some special symbols:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \

That's correct.

but it actually matches against this:
\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe
with TWO backslashes whereas the additional backslash is escaping the first one, making it not actually match these special symbols

Do you see this pattern in your log? If yes, that's because Apache escapes the \ sequences; it's normal.

i understand that this might be intentional somehow in this XSS context? can you confirm this?

No, I'm not sure about this one.

If your application works only from browser, you can press CTRL+SHIFT+I, and check the Network tab. There you can see the requests. If you choose the correct one, and select it by the right button, there will be an option: Copy -> Copy as cURL. Remove the sensitive data, and please share that request with us. It would be good to see the whole request (including headers).

@stefanpinter
Author

With the generated curl command it goes through fine, it seems.

```text
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
HTTP/1.1 100 Continue
* We are completely uploaded and fine
```

@airween
Contributor
airween commented Aug 5, 2021

These are just the TLS negotiation phase; we have to see the whole request, including headers. The command itself would be the best.

For example:

```text
$ curl -v [your optional headers and other parameters] https://coreruleset.org
* Rebuilt URL to: https://coreruleset.org/
*   Trying 172.67.160.202...
...
...
> GET / HTTP/2
> Host: coreruleset.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
```

@stefanpinter
Author
stefanpinter commented Aug 5, 2021

Hi! Oh, you are right. curl was waiting for some response because I had the score threshold at 5000.
So this curl command does work (it is inside the link).

(link deleted)

@dune73
Member
dune73 commented Aug 5, 2021

Link is already gone. :(

When you put things in triple backticks, GH should not add any additional backslashes.

@stefanpinter
Author
stefanpinter commented Aug 5, 2021

Hi dune73! (link deleted)

@dune73
Member
dune73 commented Aug 5, 2021

Thanks @stefanpinter.

Here is the condensed minimal request (30min of work):

curl http://localhost --data-raw 'foo=F%C3%BChrung%3E'

@dune73
Member
dune73 commented Aug 6, 2021

%C3%BC is a UTF-8 ü, a German Umlaut.

3E is >.

So we have Führung> encoded as UTF-8. Führung is a semi-frequent German noun.

@stefanpinter
Author
stefanpinter commented Aug 6, 2021

Hi @dune73,
Sorry, but what can I do with that? Or our web devs, ...?

I can at least confirm that this does the same:
curl -i -v https://host.name --data-raw 'foo=F%C3%BChrung%3E'

```text
--12fd9040-A--
[06/Aug/2021:14:11:53 +0200] YQ0nCfQir53Tr8213k4W2AAAABA 62.47.98.110 5756 172.21.100.102 443
--12fd9040-B--
POST / HTTP/1.1
Host: host.name
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 19
Content-Type: application/x-www-form-urlencoded

--12fd9040-C--
foo=F%C3%BChrung%3E
--12fd9040-F--
HTTP/1.1 403 Forbidden
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 199
Content-Type: text/html; charset=iso-8859-1

--12fd9040-E--

<title>403 Forbidden</title>

Forbidden

You don't have permission to access this resource.

--12fd9040-H--
Message: Warning. Pattern match "\xbc[^\\xbe>][\xbe>]|<[^\\xbe]\xbe" at ARGS:foo.
```

@dune73
Member
dune73 commented Aug 6, 2021

Thanks for the confirmation.

No, this is not for you. It's for us. If we want to fix this, we need to be able to test this. That's why I took the time to condense your payload to the minimal payload that triggers the alert.

Now we have that and we can go about fixing this. Or we decide to leave it, since the > is quite indicative of an XSS and it might be better to accept the false positive from a rule set perspective.

In the meantime or if we leave it open, you should write a rule exclusion for this particular case. See the tutorials at https://netnea.com to learn how to do that.

@cchamnab
cchamnab commented Aug 30, 2021

I also got a false positive from this rule with Khmer Unicode UTF-8: ើ (%E1%9E%BE).
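To show why the condensed request `foo=F%C3%BChrung%3E` explained by dune73 above and the Khmer report fire 941310, here is an added example (not CRS code and not posted by anyone in this thread) that runs the rule's regex over the URL-decoded bytes exactly as the WAF sees them, next to a hypothetical UTF-8-aware check, `bare_high_bytes`, that only flags 0xBC/0xBE bytes outside a well-formed multibyte sequence. The Khmer sample (U+17BC followed by U+17BE) and the bare-byte sample are constructed; the UTF-8-aware check is an assumption for illustration, not the fix merged in #2107.

```python
import re
from urllib.parse import unquote_to_bytes

# Rule 941310 as quoted in this issue (CRS 3.3.2), compiled as a bytes regex:
# ModSecurity applies it to the raw URL-decoded argument bytes, not to
# decoded Unicode text, so the 0xBC continuation byte of a UTF-8 "ü" is
# indistinguishable from a bare 0xBC.
RULE_941310 = re.compile(rb"\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe")


def rule_941310_matches(form_value: str) -> bool:
    """Apply the rule's regex the way the WAF sees the argument: after
    URL-decoding, on bytes. 'F%C3%BChrung%3E' decodes to F, the two bytes
    C3 BC of a UTF-8 'ü', 'hrung' and '>', which satisfies the first
    alternative (0xBC ... then '>')."""
    return RULE_941310.search(unquote_to_bytes(form_value)) is not None


def bare_high_bytes(raw: bytes) -> list:
    """Hypothetical UTF-8-aware check (an assumption for this example, not
    the CRS fix): return offsets of 0xBC/0xBE bytes that are NOT continuation
    bytes of a well-formed UTF-8 sequence. Lead-byte ranges are validated;
    overlong and surrogate encodings are deliberately not rejected here."""
    bare = []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:          # plain ASCII, never part of a multibyte sequence
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:
            length = 2
        elif 0xE0 <= b <= 0xEF:
            length = 3
        elif 0xF0 <= b <= 0xF4:
            length = 4
        else:
            length = 0        # not a valid lead byte (covers a bare 0xBC/0xBE)
        seq = raw[i:i + length]
        if length and len(seq) == length and all(0x80 <= c <= 0xBF for c in seq[1:]):
            i += length       # valid sequence: its 0xBC/0xBE bytes are legitimate
            continue
        if b in (0xBC, 0xBE):
            bare.append(i)
        i += 1
    return bare


def classify(form_value: str) -> dict:
    """Compare the shipped regex with the UTF-8-aware check for one argument."""
    raw = unquote_to_bytes(form_value)
    return {
        "rule_941310": RULE_941310.search(raw) is not None,
        "bare_bc_be": bool(bare_high_bytes(raw)),
    }


if __name__ == "__main__":
    samples = {
        # the condensed request from this thread: UTF-8 "Führung>"
        "german_umlaut": "F%C3%BChrung%3E",
        # constructed Khmer sample: U+17BC (E1 9E BC) followed by U+17BE (E1 9E BE)
        "khmer_vowels": "%E1%9E%BC%E1%9E%BE",
        # constructed bare bytes: the malformed encoding the rule is meant to catch
        "bare_bytes": "%BCscript%BE",
        "plain_ascii": "hello%3E",
    }
    for name, value in samples.items():
        print(f"{name:14s} {classify(value)}")
```

Both the German and the Khmer sample match the shipped regex but contain no bare 0xBC/0xBE, while the constructed malformed sample is flagged by both checks.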

@dune73
Member
dune73 commented Sep 3, 2021

Thank you for reporting @Kendokai. This is highly welcome, since we get very few reports about non-Western language false positives. Can you tell me more about your setup, and could you provide a full curl call that triggers this rule (see above)?

@franbuehler
Contributor
franbuehler commented Sep 20, 2021

Maybe this problem was already solved by #2107.
I'll try to reproduce and test the false positives against the fix.

Another finding from Walter:
d7e0cf2

@franbuehler franbuehler self-assigned this Sep 20, 2021
@dune73
Member
dune73 commented Sep 20, 2021

Issue covered in the September issue chat.

@franbuehler volunteered to check if this is indeed already solved, including the Russian and Khmer findings.

@cchamnab

@dune73
ModSecurity version: Version 3.2.0 - 2019-09-24

--73997253-F-- HTTP/1.1 403 Forbidden X-Frame-Options: SAMEORIGIN Content-Length: 199 Connection: close Content-Type: text/html; charset=iso-8859-1 --73997253-H-- Message: Warning. Pattern match "[\\xbc\\xbe].*[\\xbc\\xbe>]|[\\xbc\\xbe<].*[\\xbc\\xbe]" at ARGS:model[description]. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "646"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected."] [data "Matched Data: \xbc\x85 \x87\xb6\x94\xd2\x9a\x97\xc1\x91\x94\x93\xd2\x8f\xc4\x84\x9f\xc4\x9a \x9f\x80\xd2\x8f\xb7\x9f\x98 \x87\xb6\x98\xbd\x99\x94\xd2\x9a\x8e\xb7\x8f\x97\xb6\x96\x9f\xc6\x9a\xb6\x94\xcb\x96\xb7\x92\xb8\x98\x84\xd2\x82\x9b (\x95\x9b\xb7\x8f\x95\x9b\x81\xd2\x98\xc2\x9a)\x0d\x0a\x91\xc6\x93\xb6\x80\xcb\x91\xc6\x93\x84 \xd6 098 582 345 \x92\xd2\x9c\xbe found within ARGS:model[description]: \xa2\x84\xd2\x9a\xbb\x8f\x8f\xbc\x85 \x87\xb6\x94\xd2\x9a\x97\xc1\x91\x94\x93\xd2\x8f\xc4\x84\x9f\xc4\x..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "par 8000 anoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 45.201.213.251] ModSecurity: Warning. Pattern match "[\\\\\\\\xbc\\\\\\\\xbe].*[\\\\\\\\xbc\\\\\\\\xbe>]|[\\\\\\\\xbc\\\\\\\\xbe<].*[\\\\\\\\xbc\\\\\\\\xbe]" at ARGS:model[description]. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "646"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected."] [data "Matched Data: \\\\xbc\\\\x85 \\\\x87\\\\xb6\\\\x94\\\\xd2\\\\x9a\\\\x97\\\\xc1\\\\x91\\\\x94\\\\x93\\\\xd2\\\\x8f\\\\xc4\\\\x84\\\\x9f\\\\xc4\\\\x9a \\\\x9f\\\\x80\\\\xd2\\\\x8f\\\\xb7\\\\x9f\\\\x98 \\\\x87\\\\xb6\\\\x98\\\\xbd\\\\x99\\\\x94\\\\xd2\\\\x9a\\\\x8e\\\\xb7\\\\x8f\\\\x97\\\\xb6\\\\x96\\\\x9f\\\\xc6\\\\x9a\\\\xb6\\\\x94\\\\xcb\\\\x96\\\\xb7\\\\x92\\\\xb8\\\\x98\\\\x84\\\\xd2\\\\x82\\\\x9b (\\\\x95\\\\x9b\\\\xb7\\\\x8f\\\\x95\\\\x9b\\\\x81\\\\xd2\\\\x98\\\\xc2\\\\x9a)\\\\x0d\\\\x0a\\\\x91\\\\xc6\\\\x93\\\\xb6\\\\x80\\\\xcb\\\\x91\\\\xc6\\\\x93\\\\x84 \\\\xd6 098 582 345 \\\\x92\\\\xd2\\\\x9c\\\\xbe found within ARGS:model[description]: \\\\xa2\\\\x84\\\\xd2\\\\x9a\\\\xbb\\\\x8f\\\\x8f\\\\xbc\\\\x85 \\\\x87\\\\xb6\\\\x94\\\\xd2\\\\x9a\\\\x97\\\\xc1\\\\x91\\\\x94\\\\x93\\\\xd2\\\\x8f\\\\xc4\\\\x84\\\\x9f\\\\xc4\\\\x..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ [hostname ""] [uri ""] [unique_id "YSxVJwt1BJ8HurwGGrLCawAAAAU"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 45.201.213.251] ModSecurity: Access denied with code 403 (phase 
2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "v-modernprintingservices.com"] [uri "/admin/invoice-namecard/31"] [unique_id "YSxVJwt1BJ8HurwGGrLCawAAAAU"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 45.201.213.251] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname ""] [uri ""] [unique_id "YSxVJwt1BJ8HurwGGrLCawAAAAU"] Action: Intercepted (phase 2) Stopwatch: 1630295335449896 7175 (- - -) Stopwatch2: 1630295335449896 7175; combined=5103, p1=452, p2=4497, p3=0, p4=0, p5=154, sr=78, sw=0, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0. Server: Apache Engine-Mode: "ENABLED"

@dune73
Member
dune73 commented Sep 22, 2021

Thank you @Kendokai.

@franbuehler
Contributor

As promised, I tested this FP with the curl call http://localhost --data-raw 'foo=F%C3%BChrung%3E' (thank you @dune73 for providing it!) against the current v3.4/dev branch, and it's gone!
As already assumed, the FP has been resolved by @theseion's PR #2107 (merged on Aug 2nd). The solution will be available in CRS 3.4.
I did not test the second one because I don't see the call in the logfile, but I strongly assume that it is resolved by the mentioned PR as well.

I will close this issue here. Please open a new one if you think this will not be resolved or if you think it's not resolved by the current dev branch.

@diqidoq
diqidoq commented Sep 3, 2022

From reading the issue, the fix has been added to a 3.4/dev branch? OK, but where can I find it and where can I add it? The German "ü" issue still exists in the latest official release, and users need a non-dev-branch fix to make mod_security2 work on German sites.

@azurit
Member
azurit commented Sep 3, 2022

@diqidoq You can find it here:
https://github.com/coreruleset/coreruleset/pull/2107/files

@chrisi51

Btw, still a problem on Ubuntu 22 with the installed modsecurity-crs package, which brings 3.3.2-1 =(
I'm new to ModSecurity and I thought it might be a better idea to install a package that might be up to date instead of downloading a ruleset once and never thinking about it again while it gets older and older.

@dune73
Member
dune73 commented Jul 19, 2024

You are totally right. Unfortunately, Ubuntu and Debian refuse to upgrade to latest releases (even in the 3.3 release line). We're at it, but it's not going anywhere.

If you prefer packages, then I suggest you check out https://modsecurity.digitalwave.hu/.

Ervin Hegedüs / @airween, who is providing these, is also providing the official Debian / Ubuntu packages (they are just not picking them up).

@chrisi51

Just to make sure I got you correctly: this repo "replaces" modsecurity-crs, so that I can uninstall modsecurity-crs?

@airween
Contributor
airween commented Jul 26, 2024

Hi @chrisi51,

just to make sure, i got you correct. this repo "replaces" modsecurity-crs so that i can uninstall modsecurity-crs?

You don't need to uninstall that package. If you set up Digitalwave's repository and do an upgrade, your system will upgrade your existing owasp-modsecurity-crs package to 3.3.5.

Please be careful which packages you allow to install from that repository!
